CH logo® Knowledge Base
Contents Search
   

 

Flow Tags

Note: These settings are accessed via the Admin menu, which is displayed to Admin users only (hidden from Member users).

Kentik supports the use of user-defined flow tags that can make it more convenient to query the Kentik Data Engine (KDE). The setup of tags in the Kentik portal is discussed in the following topics:

Note: For information on querying with tags, see Tag-based Queries.

 

 
 top

About Flow Tags

Flow Tags are labels that are applied to flow data, based on user-defined criteria, as Kentik ingests the data into the Kentik Data Engine (KDE). Because tags are applied as the data is ingested, a tag must already be created before it can be applied to a given flow record (tags cannot be applied retroactively to rows that already exist in the database). However, because Kentik stores complete flow rather than summaries, historical queries are not limited to flow attributes that have been defined in advance with tags. In other words, tags enhance your querying options, but they in no way limit or filter the data that is stored in KDE.

Flow Tags are created in the portal (see Adding a Flow Tag) or via one of the following Kentik V5 APIs (see About the V5 APIs):

When each flow record is sent to Kentik from a given device, the data is evaluated to determine if any of its attributes match any of the existing tags set up by a given customer.

  • If all of the values specified in the ANDed tag fields for a given tag are matched in SRC-related flow fields (i.e. SRC IP, SRC port, ASN path associated with SRC IP, or communities associated with SRC IP) then the tag’s name is appended as text to the existing tags (if any) in the src_flow_tags column for that flow.
  • If all of the values specified in the ANDed tag fields for a given tag are matched in DST-related flow fields (i.e. DST IP, DST port, ASN path associated with DST IP, or communities associated with DST IP) then the tag’s name is appended as text to the existing tags (if any) in the dst_flow_tags column for that flow.

Note: Because the tag fields are ANDed for each of the two comparison operations described above, a tag will be applied only when all tag fields are matched.

The result of the tagging process is that the src_flow_tags and dst_flow_tags columns of each device’s main table contain a delimited list of tags that can be searched as part of a KDE query.

Note: For greater detail about how tags are applied to flow in KDE, see Tag-based Queries.

 

 
 top

Flow Tags Page

The Flow Tags page is home to the Flow Tag List, which is a table that lists all of your organization’s existing tags. To view the page, choose Admin from the main Kentik Detect navbar, then Flow Tags from the sidebar at left. The Flow Tags page is covered in the following topics:

 

 
 top  |  section

Flow Tags Page UI

The Flow Tags page has the following main UI elements:

  • Filter field: Enter text to filter the Flow tag List. The following columns of the list are searched for a match on the string entered in this field: Tag Name, Edited By, and ID.
  • Add Tag button: Opens the Add Tag dialog (see Adding a Flow Tag).
  • Flow Tag List: A table listing the flow tags currently set up in your organization (see Flow Tag List).

 

 
 top  |  section

Flow Tag List

The Flow Tag List is a table that lists all of your organization’s currently defined flow tags. The table provides the following information and actions for each tag:

  • Tag Name: The name of the Flow Tag as specified at the time the Flow Tag was created. Click on a name to go to the Edit Flow Tag page for that Flow Tag.
  • Last Edited: The date on which the subscription was last edited. Hover over the date for a tool tip with the full date-time (UTC).
  • Edited by: The email address of the person who last modified the tag.
  • Created: The date on which the subscription was created. Hover over the date for a tool tip with the full date-time (UTC).
  • ID: The system-generated unique ID assigned when the Flow Tag is created.
  • View in Chart: Opens a dialog showing the total traffic (expressed as max bits/second) for the last 24 hours that had either source flow (Source button) or destination flow (Dest button) filtered by this tag.
    - Use the display type drop-down at upper right to change the type of chart.
    - Click the View in Explorer button to open the chart in Data Explorer for further exploration of that traffic.
  • Delete: Opens a confirming dialog that allows you to remove the tag from Kentik.

Click on a column heading to sort the list (ascending or descending).

Note: To see additional information about a given flow tag, click anywhere in the row for that flow tag, which opens a Edit Tag dialog where you can review settings (see Editing a Flow Tag).

 

 
 top

Tag Admin Dialogs

Adding or editing a flow tag via the Kentik portal involves specifying information in the fields of the tag admin dialogs, which are covered in the following topics.

Note: Tags can also be added and edited with either the Tag API or the Batch API.

 

 
 top  |  section

About Tag Dialogs

The Kentik portal uses tag admin dialogs to collect and display flow tag information. The required information is entered into the fields of either of the following dialogs:

  • Add Tag when adding a new tag to Kentik.
  • Edit Tag when editing an existing tag.

 

 
 top  |  section

Tag Dialogs UI

The Add Tag and Edit Tag dialogs share the same layout and the following common UI elements:

  • Close button: Click the X in the upper right corner to close the dialog. All elements will be restored to their values at the time the dialog was opened.
  • Tab selectors: Choose the tab to display (see tab-specific topics below).
  • Remove button (Edit Tag dialog only): Remove the tag from your organization’s collection of Kentik-registered tags.
  • Cancel button: Cancel the add tag or edit tag operation and exit the dialog. All elements will be restored to their values at the time the dialog was opened.
  • Add Tag button (Add Tag dialog only): Save settings for the new tag and exit the dialog.
  • Save button (Edit Tag dialog only): Save changes to tag settings and exit the dialog.

 

 
 top

Tag Field Definitions

The fields of the tag admin dialogs are used to specify and display flow tag settings. These fields are described in the following topics:

 

 
 top  |  section

About Tag Fields

Each tag admin dialog is broken into the tabs covered in the topics below, each of which is made up of a number of fields. Creating a flow tag requires specifying a name in the Tag Name field, and specifying additional tag attribute fields that will be evaluated for a match with fields in the incoming flow (or with values derived from fields in the flow). The fields that can be used to define tags are described in the topics below.

The validation columns in each table below indicate whether or not the following validations will be applied to a given tag field:

  • Comma: Comma-delimited list
  • Database: Database patterns (e.g. % and _)
  • Regex: Regex

Note: For additional information on validation of tag field values, see Tag Field Validation.

 

 
 top  |  section

General Tag Settings

The following table shows the settings on the General tab of tag admin dialogs:

Field Description Comma Database Regex
Tag Name The string that will be added to the src_flow_tags and/or dst_flow_tags column in the main KDE table of the device sending flow when a match is found in the flow for the values in any of the following fields.
Notes:
- A tag name must be from 2 to 20 characters long: alphanumeric, hyphen, or underscore (no spaces).
- A tag name must be unique, but tags whose names contain a common string can be ORed in a query (e.g. “tag1” and “tag2” both contain “tag”).
No No No

 

 
 top  |  section

Tag Device Settings

The following table shows the settings on the Device Matching tab of tag admin dialogs:

Field Description Comma Database Regex
Device name Results in a match if this value appears within the name or equals the IP address of a device that has been configured to send flow records to Kentik Detect. If there’s a match, the tag is applied to both src_flow_tags and dst_flow_tags columns. Yes Yes No
Device type Router or host (e.g. nProbe), as specified by the user when creating the device. Yes No Yes
Site Results in a match if this value appears within the name of a site to which the device sending the flow record to Kentik has been assigned (see About Sites). Yes No Yes
Interface name/description Results in a match if this value appears within the name or description of a source or destination interface. If there’s a match, the tag is applied to the src_flow_tags column if the received flow shows traffic entering on the interface, and a tag is applied to the dst_flow_tags column if the received flow shows traffic leaving on the interface. Yes Yes Yes

 

 
 top  |  section

Tag IP Settings

The following table shows the settings on the IP Matching tab of tag admin dialogs:

Field Description Comma Database Regex
IP addresses (IP/CIDR format) Expressed in IPv4 or IPv6 CIDR notation (e.g. 38.12.34.0/24; see CIDR Notation), this value will result in a match if it corresponds to a range of IP addresses in the flow, either source (SRC IP) or destination (DST IP). If there’s a match, the tag is applied to both src_flow_tags and dst_flow_tags columns.
Note: This field can contain up to 249 IP/CIDR items in a comma-delimited list.
Yes No No
Port Results in a match if this value appears within a port number in the flow, either source (SRC Port) or destination (DST Port). Yes No No
TCP flag An integer number between 0 and 255 representing an 8-bit binary bit pattern. At ingest this pattern is used as a bitmask that is ANDed with the composite (ORed) bit pattern of the TCP flags set in the flow. A match will result if the value in both the flow bit pattern and the bitmask is 1 at any of the eight places. No No No
Protocol name/number Results in a match if this value is the same as the protocol of the traffic represented by the flow. The protocol of TCP is 6, and of UDP is 17. Yes No No

 

 
 top  |  section

Tag BGP Settings

The following table shows the settings on the BGP Matching tab of tag admin dialogs:

Field Description Comma Database Regex
Last-hop (origin) ASN Results in a match if this value is the same as the last ASN (16- or 32-bit) in the path in the routing table for either the source (SRC IP) or destination (DST IP). Yes No No
Last-hop (origin) AS Name Results in a match if this value represents the name corresponding to the last ASN in the path in the routing table for either the source (SRC IP) or destination (DST IP). Yes No Yes
Next Hop ASN Results in a match if this value is the same as the ASN (16- or 32-bit) of the next hop router based on AS path. Yes No No
Next-hop AS Name Results in a match if this value represents the name corresponding to the ASN of the next hop router based on AS path. Yes No Yes
Next-hop IP If a CIDR grouping (IPv4 or IPv6) is specified, a match can be on any address within that grouping. If no CIDR grouping is specified a match requires an exact IP.
- CIDRs may be expressed in “short form” (e.g. 1::2/127).
Yes No No
BGP AS Path Results in a match if this value is the same as the BGP AS path in the route (see Specifying BGP Tag Fields). Yes No Yes
BGP Community Results in a match if this value is the same as the BGP community of BGP route. May be specified with a form of regex (see Specifying BGP Tag Fields). Yes No Yes

 

Specifying BGP Tag Fields

The collection of BGP data by Kentik Detect allows incoming flows to be assigned tags that match communities and AS paths or partial paths. Flow Tags are applied (separately for source and destination) at the time that flow is ingested into KDE. They can then be used to narrow query results by applying them using src and dst filter functions in the Data Explorer and Query Builder pages of the Kentik Detect portal.

Note: A given tag is applied only to flows that arrive after the tag was created. A new tag may take up to 20 minutes to take effect.

Matches on the BGP-related tag fields are made on substrings. For ASN and Next Hop ASN, the string(s) to match are specified in a simple comma-delimited list. For both the BGP AS Path and BGP Community fields the specified values are also evaluated using a subset of standard regex (see table below):

  • BGP AS path tags: Entering “10” in the as-path field will match any path that includes “10”, “100”, “010”, etc. Using regex, a value of “_10_” will match only paths that include ASN 10, including “10 “, “ 10”, and “ 10 “. Also allowed are tags where as-path is specified as, for example, “_10 100_”.
  • BGP community tags: Flow Tags on communities are similar to tags on AS paths except that they also support the use of regex periods. This allows you to specify, for example, “2000:1....” to find any flow with community 2000:1xxxx in it.

The following table shows the regex special characters that are supported when specifying the BGP AS Path and BGP Community:

Special Character Matches...
_
(underscore)
start of string
end of string
“ “ (space)
. Any single character, including white space
[ ]
The characters, or a range of characters separated by a hyphen, contained within square brackets.
^ The character or null string at the beginning of an input string.
? Zero or one occurrence of the pattern containing the question mark.
$ End of string
* Zero or more sequences of the preceding character. Also acts as a wildcard for matching any number of characters.
+ One or more sequences of the preceding character.
() Used for nesting of expressions.

Note: For BGP community and AS path tags, any spaces at the beginning or end of the input field and also before and after each comma will be removed.

 

 
 top  |  section

Other Tag Settings

The following table shows the settings on the Other tab of tag admin dialogs:

Field Description Comma Database Regex
MAC Address Results in a match if this value matches source or destination Ethernet (L2) address. Yes No No
Country Results in a match if this value includes a two-letter country code associated with the source or destination IP of the flow. Yes No No
VLAN(s) Results in a match if this value includes a VLAN ID associated with the source or destination IP of the flow. Yes No No

Note: The Validation codes used in the table above are defined in Tag Field Validation.

 

 
 top  |  section

Tag Field Validation

The following general considerations apply to the validation of values in the tag fields described in Tag Field Definitions:

  • Some fields support the entry of multiple values as a comma-delimited list (see tables above).
  • Commas are supported only as list delimiters (not in actual values or regex).
  • Some fields support the use of database patterns (see tables above).
  • In fields where regex is supported (see table below), a period (“.”) may be used in place of a comma.
  • The BGP AS Path and BGP Community tags use PostgreSQL POSIX Extended Regular Expressions. For additional information, see Specifying BGP Tag Fields.
  • All other tags that support regex use PostgreSQL Advanced Regular Expressions.

Note: Documentation for PostgreSQL regex and database patterns can be found at PostgreSQL documentation:
- Database patterns are documented under “LIKE.”
- Regular expressions are documented under “POSIX Regular Expressions.”

 

 
 top

Add or Edit Tags

Flow Tags are created and edited via theFlow Tags page of the Kentik Detect portal (choose Flow Tags from the drop-down Admin menu). The add/edit process is covered in the following sections:

Note: Tags can also be added and edited with either the Tag API or the Batch API.

 

 
 top  |  section

Adding a Flow Tag

To add a new tag:

  1. Go to the Flow Tags page (choose Admin from the Kentik navbar, then Flow Tags from the sidebar at left).
  2. Open the Add Tag page by clicking the Add Tag button.
  3. Name the tag in the Tag Name field.
  4. Specify the values of the tag fields that will be evaluated for a match with the properties of the incoming flow (see Tag Field Definitions).
  5. Click the Save button (bottom right) to save the new tag with the currently specified values, after which you’ll be taken back to the Flow Tags page.

Note: A tag name must be unique, but tags whose names contain a common string can be ORed in a query (e.g. “tag1” and “tag2” both contain “tag”).

 

 
 top  |  section

Editing a Flow Tag

To edit an existing tag:

  1. Go to the Flow Tags page (choose Admin from the Kentik navbar, then Flow Tags from the sidebar at left).
  2. In the Flow Tag List, open a Edit Tag dialog by clicking in the row of the tag that you’d like to edit.
  3. Edit the tag fields that you’d like to change (see Tag Field Definitions).
  4. To save changes, click the Save button at bottom right.

 

 
 top

Add a MYNETWORK Tag

Kentik recommends that all customers create a tag called MYNETWORK to represent their network. A MYNETWORK tag allows a user to quickly and easily see whether traffic came from an internal or external source and is headed toward an internal or external destination. For information on querying using MYNETWORK tags, see MYNETWORK Tag Queries.

Like any other tag, a MYNETWORK tag is created in an Add Tag dialog in the portal (see Adding a Flow Tag). For a comprehensive MYNETWORK tag, specify one or more of the following tag fields:

  • ASN: list all of the internal ASNs (ASNs that your network is responsible for). If multiple ASNs are entered, separate with a comma, for example “ASN1,ASN2”, etc.
  • IP addresses in IP/CIDR format: list (using CIDR notation) all of the CIDR blocks on your network.
  • Interface Names or Descriptions: list all internal interfaces.
 

In this article: